diff options
author | Will Newton <will.newton@linaro.org> | 2013-08-16 12:54:29 +0100 |
---|---|---|
committer | Will Newton <will.newton@linaro.org> | 2013-09-11 09:42:43 +0100 |
commit | b73ed247781d533628b681f57257dc85882645d3 (patch) | |
tree | d7ba5fb3f9a1dbe14f06849baedece8a03cf4ae7 | |
parent | 55e17aadc1ef17a1df9626fb0e9fba290ece3331 (diff) | |
download | glibc-b73ed247781d533628b681f57257dc85882645d3.tar glibc-b73ed247781d533628b681f57257dc85882645d3.tar.gz glibc-b73ed247781d533628b681f57257dc85882645d3.tar.bz2 glibc-b73ed247781d533628b681f57257dc85882645d3.zip |
malloc: Check for integer overflow in memalign.
A large bytes parameter to memalign could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.
ChangeLog:
2013-09-11 Will Newton <will.newton@linaro.org>
[BZ #15857]
* malloc/malloc.c (__libc_memalign): Check the value of bytes
does not overflow.
-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | malloc/malloc.c | 7 |
2 files changed, 13 insertions, 0 deletions
@@ -1,5 +1,11 @@ 2013-09-11 Will Newton <will.newton@linaro.org> + [BZ #15857] + * malloc/malloc.c (__libc_memalign): Check the value of bytes + does not overflow. + +2013-09-11 Will Newton <will.newton@linaro.org> + [BZ #15856] * malloc/malloc.c (__libc_valloc): Check the value of bytes does not overflow. diff --git a/malloc/malloc.c b/malloc/malloc.c index 3148c5f57d..f7718a9c9a 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -3015,6 +3015,13 @@ __libc_memalign(size_t alignment, size_t bytes) /* Otherwise, ensure that it is at least a minimum chunk size */ if (alignment < MINSIZE) alignment = MINSIZE; + /* Check for overflow. */ + if (bytes > SIZE_MAX - alignment - MINSIZE) + { + __set_errno (ENOMEM); + return 0; + } + arena_get(ar_ptr, bytes + alignment + MINSIZE); if(!ar_ptr) return 0; |